So, the iThemes site was hacked
On September 23rd, the iThemes team announced that their website had been attacked and their database was compromised. Now, before I dig into that, you may have heard of iThemes in one of two places:
- You use their theme framework to power your WordPress theme.
- You use the iThemes Security plugin.
For me, it was the latter. So when I heard that their site was hacked, my first reaction was to chuckle a little. How embarrassing. You create a WordPress security plugin—and even sell a “pro” version of it for $80+—and yet your own site gets hacked.
Yes, I laughed a little. But you know what, I figured: it could happen to anyone. No matter how much protection you put around your site, people are still going to try to find a way to weasel in. I totally get that. I help run a super large gaming fan site that gets millions of hits per month, and we were CONSTANTLY targeted by hackers because of our tempting database full of usernames and passwords. And even with awesome coders and server admins looking after us, we still got hacked a couple times.
However, it was the second update that led me to create this post.
iThemes stores passwords in plain text
This is something you JUST DON’T DO.
Normally when you store usernames and passwords, the passwords are hashed (most people loosely call this “encrypted”). So if someone were to get ahold of your database, they would see the username in plain text (just like “nosegraze”) but the password WOULDN’T be stored in plain text. Let’s say your password was “skittles”. It wouldn’t actually be stored in the database as “skittles”. Instead, it would be run through a one-way hash function and only the resulting hash would be stored. So in the database, you would see something like “27c07e1c9bcd1ac7e5e995ed92534d77”. But you can’t actually login with that value, so on its own it’s useless to a hacker. Yes, they could try to crack the hash and recover the password, but that’s a lot more difficult…
It’s just common knowledge that unless you’re being very insecure, you don’t store passwords in plain text. And yet, iThemes did.
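To make the difference concrete, here is an added example (my own, not iThemes’ code, and in Python rather than WordPress’s PHP) that builds the same made-up user table three ways: plain text, an unsalted MD5 hash, and a per-user salted PBKDF2 hash. The usernames and passwords are constructed for the demo; the point is what each version of the table would hand an attacker who copied the database.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample accounts: two users who happen to pick the same password.
SAMPLE_USERS = {"nosegraze": "skittles", "alice": "skittles"}


def store_plaintext(password: str) -> str:
    """Plain-text storage: a database copy IS the password list."""
    return password


def store_unsalted_md5(password: str) -> str:
    """Unsalted fast hash: no longer the password itself, but identical
    passwords produce identical rows, and a precomputed table of common
    passwords maps straight back to the original."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None,
                 iterations: int = 200_000) -> str:
    """Random per-user salt plus a deliberately slow key derivation
    (PBKDF2-HMAC-SHA256). Stored as scheme$iterations$salt$digest so the
    verifier can recompute it later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_table(scheme: Callable[[str], str]) -> Dict[str, str]:
    """Build the 'users' table as a leaked database dump would show it."""
    return {user: scheme(pw) for user, pw in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for name, scheme in [("plaintext", store_plaintext),
                         ("unsalted md5", store_unsalted_md5),
                         ("salted pbkdf2", store_salted)]:
        print(f"--- {name} ---")
        for user, value in build_table(scheme).items():
            print(f"{user}: {value}")
```

Only the salted table gives two different rows for the two users with the same password, which is why “hashed” alone is not the whole story; “salted” matters too.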
There is no easy way to say this: We were storing your passwords in clear-text. This directly impacted approximately 60,000 of our users, past and current.
What Does Plain Text Mean?
This means that the passwords were not protected as they should have been. They were not hashed, salted or any combination of techniques. This means if the attacker was able to see / save the passwords they have a new username / password list.
Cory Miller, iThemes
Honestly, if I were Cory Miller I’d want to bury my head in the sand, quit online life, and become a solitary citrus farmer. It’s pretty appalling that someone who SELLS a security plugin would have passwords stored in plain text since 2009. That’s one of the worst security mistakes there is and there’s no excuse for it. I wouldn’t want to buy a security plugin run by people who don’t do their own security correctly.
Does this make you lose faith in iThemes Security?
I don’t know about you, but I now look at iThemes security with a lot more scepticism. If they fucked up their own site so badly, how can any of us be confident that the iThemes Security plugin is properly doing its job? Luckily for me, I take many of my own security measures and don’t rely too heavily on the plugin. But if this plugin is all you use, how do you feel about it now?
Note: this doesn’t actually affect the WordPress plugin
Just a disclaimer, the iThemes website getting hacked doesn’t actually affect the iThemes Security plugin at all. This does not mean the hackers suddenly have your WordPress login details. This attack was only made on the iThemes website, which stored login information, IP addresses, and receipts for purchases made through their website.